Malware analysis ENCCN_Ransomware_Builder_Cracked.zip Malicious activity

Add for printing

File name:	ENCCN_Ransomware_Builder_Cracked.zip
Full analysis:	https://app.any.run/tasks/6fa6b87f-20fd-4dd0-a147-b71a6166c78c
Verdict:	Malicious activity
Analysis date:	October 23, 2024, 09:01:22
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	api-base64
Indicators:
MIME:	application/zip
File info:	Zip archive data, at least v2.0 to extract, compression method=deflate
MD5:	484AAC6D76A5AC96E0FD8F95A3C01ECE
SHA1:	290D8036312D3C1214B73AE8E7B324ECECB16B77
SHA256:	80D50C97FAC897FEAA17E1667E61E7208354E0025EC4E5BBB5358DF4F1DA61A4
SSDEEP:	98304:wv5IC+08Vzw9UAybJEe63Tlkizdazdmr56bJk1bUTMwzNR/5jODdNfUJppy0K/uw:/eKQ14teq9MSyPB8+EifQ6w7khQU

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 300 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: 240 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: off
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (122.0.6261.70)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (122.0.2365.59)
Microsoft Edge Update (1.3.185.17)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (123.0)
Mozilla Maintenance Service (123.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Skype version 8.104 (8.104)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
- Starts Visual C# compiler
  - ENCCN_Cracked.exe (PID: 5232)
SUSPICIOUS
- There is functionality for taking screenshot (YARA)
  - ENCCN_Cracked.exe (PID: 5232)
- Executable content was dropped or overwritten
  - ENCCN_Cracked.exe (PID: 5232)
  - csc.exe (PID: 860)
  - A.exe (PID: 1084)
  - csc.exe (PID: 3832)
  - Microsoft.ServiceHub.exe (PID: 4164)
  - csc.exe (PID: 4448)
  - csc.exe (PID: 3940)
- Process drops legitimate windows executable
  - ENCCN_Cracked.exe (PID: 5232)
- Executes as Windows Service
  - Runtime Broker.exe (PID: 6160)
  - Microsoft.ServiceHub.exe (PID: 4164)
- Uses .NET C# to load dll
  - ENCCN_Cracked.exe (PID: 5232)
INFO
- Manual execution by a user
  - WinRAR.exe (PID: 5172)
  - ENCCN_Cracked.exe (PID: 5232)
  - !Encrypted.exe (PID: 7060)
  - A.exe (PID: 1084)
- Executable content was dropped or overwritten
  - WinRAR.exe (PID: 5172)
- Potential dynamic function import (Base64 Encoded 'GetProcAddress')
  - A.exe (PID: 1084)
- Potential library load (Base64 Encoded 'LoadLibrary')
  - A.exe (PID: 1084)
- Potential access to remote process (Base64 Encoded 'OpenProcess')
  - A.exe (PID: 1084)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.zip	\|	ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion:	20
ZipBitFlag:	-
ZipCompression:	Deflated
ZipModifyDate:	2019:10:19 09:20:40
ZipCRC:	0x3dcba6fa
ZipCompressedSize:	23995
ZipUncompressedSize:	54304
ZipFileName:	ENCCN Ransomware Builder Cracked/ENCCN.Converters.dll

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

154

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

692

C:\WINDOWS\system32\OpenWith.exe -Embedding

C:\Windows\System32\OpenWith.exe

—

svchost.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Pick an app

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\openwith.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll

860

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\admin\AppData\Local\Temp\4smluuqi.cmdline"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

ENCCN_Cracked.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Visual C# Command Line Compiler

Exit code:

Version:

4.8.9037.0 built by: NET481REL1

Modules

Images
c:\windows\microsoft.net\framework\v4.0.30319\csc.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll

920

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\admin\AppData\Local\Temp\RESB461.tmp" "c:\Program Files\ECCT\CSCF4C68FBA2CA4DC8A423EAD717854DFA.TMP"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe

—

csc.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Microsoft® Resource File To COFF Object Conversion Utility

Exit code:

Version:

14.32.31326.0

Modules

Images
c:\windows\microsoft.net\framework64\v4.0.30319\cvtres.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll

1084

"C:\Users\admin\Desktop\ENCCN_Ransomware_Builder_Cracked\ENCCN Ransomware Builder Cracked\Results\Encryption\2024-10-23 09-04-51\A.exe"

C:\Users\admin\Desktop\ENCCN_Ransomware_Builder_Cracked\ENCCN Ransomware Builder Cracked\Results\Encryption\2024-10-23 09-04-51\A.exe

explorer.exe

User:

admin

Integrity Level:

HIGH

Description:

Version:

0.0.0.0

Modules

Images
c:\users\admin\desktop\enccn_ransomware_builder_cracked\enccn ransomware builder cracked\results\encryption\2024-10-23 09-04-51\a.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll

1196

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\WINDOWS\TEMP\2ugbupvb\2ugbupvb.cmdline"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

—

Microsoft.ServiceHub.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Visual C# Command Line Compiler

Exit code:

Version:

4.8.9037.0 built by: NET481REL1

Modules

Images
c:\windows\microsoft.net\framework64\v4.0.30319\csc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ole32.dll

1344

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\admin\AppData\Local\Temp\RESE029.tmp" "c:\Users\admin\Desktop\ENCCN_Ransomware_Builder_Cracked\ENCCN Ransomware Builder Cracked\Results\Encryption\2024-10-23 09-04-51\CSCC09A8D8D28B4D71AA9DB8F35BB676B6.TMP"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

—

csc.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Microsoft® Resource File To COFF Object Conversion Utility

Exit code:

Version:

14.32.31326.0

Modules

Images
c:\windows\microsoft.net\framework\v4.0.30319\cvtres.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll

1744

"C:\Program Files\ECCT\Runtime Broker.exe" install

C:\Program Files\ECCT\Runtime Broker.exe

A.exe

User:

admin

Integrity Level:

HIGH

Description:

Exit code:

Version:

0.0.0.0

Modules

Images
c:\program files\ecct\runtime broker.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll

2184

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

csc.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

3432

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

csc.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

3772

C:\WINDOWS\system32\OpenWith.exe -Embedding

C:\Windows\System32\OpenWith.exe

—

svchost.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Pick an app

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\openwith.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll

Add for printing

Total events

13 509

Read events

13 375

Write events

115

Delete events

Modification events


(PID) Process:	(5940) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	1
Value: C:\Users\admin\Desktop\GoogleChromeEnterpriseBundle64.zip
(PID) Process:	(5940) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	0
Value: C:\Users\admin\Desktop\ENCCN_Ransomware_Builder_Cracked.zip
(PID) Process:	(5940) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	name
Value: 120
(PID) Process:	(5940) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	size
Value: 80
(PID) Process:	(5940) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	type
Value: 120
(PID) Process:	(5940) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	mtime
Value: 100
(PID) Process:	(5940) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\MainWin
Operation:	write	Name:	Placement
Value: 2C0000000000000001000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF3D0000002D000000FD03000016020000
(PID) Process:	(5940) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\ArcColumnWidths
Operation:	write	Name:	name
Value: 256
(PID) Process:	(5940) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\ArcColumnWidths
Operation:	write	Name:	size
Value: 80
(PID) Process:	(5940) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\ArcColumnWidths
Operation:	write	Name:	psize
Value: 80

Add for printing

Executable files

202

Suspicious files

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
5172	WinRAR.exe	C:\Users\admin\Desktop\ENCCN_Ransomware_Builder_Cracked\ENCCN Ransomware Builder Cracked\ENCCN.Converters.dll		executable
		MD5:B47866A56F4CC171211E3EF64D6CED73	SHA256:7514513F19CA1DFD021ACE7666B03E8DBA1940268DABEED4CE2CFC9523973301
5172	WinRAR.exe	C:\Users\admin\Desktop\ENCCN_Ransomware_Builder_Cracked\ENCCN Ransomware Builder Cracked\ENCCN.Enumerables.dll		executable
		MD5:7C25E04937D02504063EA6B37936C6F3	SHA256:B6EA38BA136119E7FDE123904310178A23CE46AB1D4D0FC9D80F8D40BF74FB1E
5172	WinRAR.exe	C:\Users\admin\Desktop\ENCCN_Ransomware_Builder_Cracked\ENCCN Ransomware Builder Cracked\ENCCN.Html.dll		executable
		MD5:F5C2B241F13EB5EE1A45E4A57BE94468	SHA256:1806BE428B3E27A285B2B26063A9779A82047896E39E891AFB1327CF01684313
5172	WinRAR.exe	C:\Users\admin\Desktop\ENCCN_Ransomware_Builder_Cracked\ENCCN Ransomware Builder Cracked\ENCCN.ViewModels.Converters.dll		executable
		MD5:6928263F42233A3F9678BB40F2289645	SHA256:7DD944E852242F0A5CC072E9256D68F1587CD39EB36DDB41F3A346EB652D5565
5172	WinRAR.exe	C:\Users\admin\Desktop\ENCCN_Ransomware_Builder_Cracked\ENCCN Ransomware Builder Cracked\ENCCN.Html.Winforms.dll		executable
		MD5:D9ACD867FBAFEC0430C39DBE8A5C9EE6	SHA256:77DE9AE6AD5EDD65F1AA514EA5FC582EA1A99AEEA7EF2E8D8D6A96BD065B3016
5172	WinRAR.exe	C:\Users\admin\Desktop\ENCCN_Ransomware_Builder_Cracked\ENCCN Ransomware Builder Cracked\ENCCN.Exceptions.dll		executable
		MD5:BAC25DD9E95EBC9F8D5EC9BD5FC16069	SHA256:DCA0B79012D5B576F9D77DD5FFFCC6FAA463E8A65CC1F60950FEF828C0E02204
5172	WinRAR.exe	C:\Users\admin\Desktop\ENCCN_Ransomware_Builder_Cracked\ENCCN Ransomware Builder Cracked\ENCCN.Validators.dll		executable
		MD5:B8E810A1224F410FDB674060B9A7DB4F	SHA256:2E43CD35CBF0F9E408FA8DBF073633800DA55460DA6074E9116BA48A62FA7C3A
5172	WinRAR.exe	C:\Users\admin\Desktop\ENCCN_Ransomware_Builder_Cracked\ENCCN Ransomware Builder Cracked\Newtonsoft.Json.dll		executable
		MD5:4DF6C8781E70C3A4912B5BE796E6D337	SHA256:3598CCCAD5B535FEA6F93662107A4183BFD6167BF1D0F80260436093EDC2E3AF
5172	WinRAR.exe	C:\Users\admin\Desktop\ENCCN_Ransomware_Builder_Cracked\ENCCN Ransomware Builder Cracked\ENCCN.ViewModels.dll		executable
		MD5:D0F0A621AFD7BF3873D679C7FEF5F754	SHA256:40D629DE02437F69FDB32169E82FF5FD3CF728C88BA84448741414113A7F1721
5172	WinRAR.exe	C:\Users\admin\Desktop\ENCCN_Ransomware_Builder_Cracked\ENCCN Ransomware Builder Cracked\ENCCN_Cracked.exe		executable
		MD5:5F02089B271B66A97250736C6224089D	SHA256:1F9FAE233823421C569B37C87405C33A3C980BB842038F4A00C0AB9FB5763118

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
5488	MoUsoCoreWorker.exe	GET	200	2.16.164.120:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
5488	MoUsoCoreWorker.exe	GET	200	95.101.149.131:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
4360	SearchApp.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D	unknown	—	—	whitelisted
2364	svchost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	unknown	—	—	whitelisted
4232	SIHClient.exe	GET	200	95.101.149.131:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl	unknown	—	—	whitelisted
4232	SIHClient.exe	GET	200	95.101.149.131:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl	unknown	—	—	whitelisted
6800	backgroundTaskHost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D	unknown	—	—	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
5700	RUXIMICS.exe	20.73.194.208:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
4	System	192.168.100.255:137	—	—	—	whitelisted
—	—	20.73.194.208:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
5488	MoUsoCoreWorker.exe	2.16.164.120:80	crl.microsoft.com	Akamai International B.V.	NL	whitelisted
5488	MoUsoCoreWorker.exe	95.101.149.131:80	www.microsoft.com	Akamai International B.V.	NL	whitelisted
4360	SearchApp.exe	2.23.209.183:443	www.bing.com	Akamai International B.V.	GB	whitelisted
4360	SearchApp.exe	192.229.221.95:80	ocsp.digicert.com	EDGECAST	US	whitelisted
6944	svchost.exe	20.73.194.208:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
4020	svchost.exe	239.255.255.250:1900	—	—	—	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted

DNS requests

Domain	IP	Reputation
crl.microsoft.com	2.16.164.120 2.16.164.49	whitelisted
www.microsoft.com	95.101.149.131	whitelisted
www.bing.com	2.23.209.183 2.23.209.178 2.23.209.169 2.23.209.171 2.23.209.181 2.23.209.168 2.23.209.173 2.23.209.182 2.23.209.177	whitelisted
ocsp.digicert.com	192.229.221.95	whitelisted
google.com	142.250.181.238	whitelisted
login.live.com	40.126.32.76 40.126.32.72 40.126.32.134 40.126.32.133 40.126.32.140 40.126.32.68 40.126.32.74 40.126.32.138	whitelisted
th.bing.com	2.23.209.160 2.23.209.156 2.23.209.150 2.23.209.149 2.23.209.143 2.23.209.144 2.23.209.162 2.23.209.164 2.23.209.157	whitelisted
go.microsoft.com	184.28.89.167	whitelisted
settings-win.data.microsoft.com	4.231.128.59	whitelisted
slscr.update.microsoft.com	4.245.163.56	whitelisted

Threats

No threats detected

Add for printing

Process	Message
Runtime Broker.exe	Topshelf.HostFactory Information: 0 :
Runtime Broker.exe	Configuration Result: [Success] Name RuntimeBroker [Success] DisplayName Runtime Broker [Success] Description Windows Runtime Broker local service. [Success] ServiceName RuntimeBroker
Runtime Broker.exe	Topshelf.HostConfigurators.HostConfiguratorImpl Information: 0 :
Runtime Broker.exe	Topshelf v4.2.1.215, .NET Framework v4.0.30319.42000
Runtime Broker.exe	Topshelf.Runtime.Windows.HostInstaller Information: 0 :
Runtime Broker.exe	Installing Runtime Broker service
Microsoft.ServiceHub.exe	Topshelf.HostFactory Information: 0 :
Microsoft.ServiceHub.exe	Configuration Result: [Success] Name Microsoft.ServiceHub [Success] DisplayName Microsoft ServiceHub [Success] Description Microsoft Windows Service Hub local service. [Success] ServiceName Microsoft.ServiceHub
Microsoft.ServiceHub.exe	Topshelf.HostConfigurators.HostConfiguratorImpl Information: 0 :
Microsoft.ServiceHub.exe	Topshelf v4.2.1.215, .NET Framework v4.0.30319.42000

General Info

ENCCN_Ransomware_Builder_Cracked.zip

484AAC6D76A5AC96E0FD8F95A3C01ECE

290D8036312D3C1214B73AE8E7B324ECECB16B77

80D50C97FAC897FEAA17E1667E61E7208354E0025EC4E5BBB5358DF4F1DA61A4

98304:wv5IC+08Vzw9UAybJEe63Tlkizdazdmr56bJk1bUTMwzNR/5jODdNfUJppy0K/uw:/eKQ14teq9MSyPB8+EifQ6w7khQU

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Starts Visual C# compiler

SUSPICIOUS

There is functionality for taking screenshot (YARA)

Executable content was dropped or overwritten

Process drops legitimate windows executable

Executes as Windows Service

Uses .NET C# to load dll

INFO

Manual execution by a user

Executable content was dropped or overwritten

Potential dynamic function import (Base64 Encoded 'GetProcAddress')

Potential library load (Base64 Encoded 'LoadLibrary')

Potential access to remote process (Base64 Encoded 'OpenProcess')

Malware configuration

Static information

TRiD

EXIF

ZIP

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings